Compliance October 26, 2025

ASD Cyber Threat Report 2025 - Recap

Costs are up, and entry points still cluster around identity and business email compromise. The report is a reminder to use protections you may already own.

Kyle Murray

Vanguard Cyber

ASD Cyber Threat Report 2025 chart of cost of cybercrime by business size

It is not the greatest feeling when the ASD releases the cyber threat report and the average reported cost of cybercrime to businesses has only gone up.

There is a silver lining. Entry points for businesses largely revolve around identity and business email compromise. With a focus on email as an entry point, it reminds everyone that people are constantly being targeted by cybercriminals.

There are plenty of vendors offering products and services. One we have heard mentioned repeatedly is Phriendly Phishing.

Back in the ASD report, dollar values roughly double with business size, from approximately $50,000 for a small business to over $200,000 for a large organisation, with year-on-year gains of 14%, 55%, and 219% respectively.

One highlighted point is vulnerabilities in edge or cloud computing. The first two weeks of the 2025 Cyber Security Awareness Month were dedicated to logging and legacy technology, both relevant to compromise of edge devices.

That focus was clearly deliberate: the most common cyber security incident for critical infrastructure and government agencies was through a compromised asset, network, or piece of infrastructure.

Without turning this into a TLDR of the report, a final point: organisations already had capability at their fingertips but left it out of mind when the environment was set up.

The report notes that seven government organisations that already owned Microsoft E5 licensing had unidentified vulnerabilities caught simply by enabling Defender for Endpoint. That is a wake-up call for organisations that have paid for the licence but have not yet implemented the full protections on offer.
